MalwareUsed by 1 actor

httd

httd is a Go-based Linux implant identified within an exposed Roundcube exploitation toolkit environment dubbed Roundish. It was found in an exfiltrated archive from blog.pentagonteam[.]com, and the recovered toolkit was assessed with medium-high confidence to align with APT28 (Fancy Bear/Sednit), a Russia GRU-attributed threat actor, based on multiple technical overlaps with Operation RoundPress. The implant is described as providing persistence on Linux systems via cron, systemd, and SELinux policy manipulation. The broader Roundish toolkit targeted webmail, especially Roundcube, for credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and extraction of 2FA/TOTP secrets, with confirmed targeting of mail.dmsu.gov.ua, the Ukrainian State Migration Service Roundcube instance. A reported sample hash for httd is SHA-256 e76f54b7b98ba3a08f39392e6886a9cb3e97d57b8a076e6b948968d0be392ed8.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

APT28

A Go-based Linux implant (httd) found in a compromised environment provides persistence via cron, systemd, and SELinux.

via huntio bloghunt.io

MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1190Exploit Public-Facing ApplicationEvidence1

The toolkit targets Roundcube webmail and supports credential harvesting, persistent mail forwarding, bulk email exfiltration, address book theft, and 2FA secret extraction.

Execution

1 technique

T1053.003CronEvidence2

A Go-based Linux implant (httd) found in a compromised environment provides persistence via cron, systemd, and SELinux.

Persistence

2 techniques

T1053.003CronEvidence2

A Go-based Linux implant (httd) found in a compromised environment provides persistence via cron, systemd, and SELinux.

T1543.002Systemd ServiceEvidence2

A Go-based Linux implant (httd) found in a compromised environment provides persistence via cron, systemd, and SELinux.

Privilege Escalation

2 techniques

T1053.003CronEvidence2

A Go-based Linux implant (httd) found in a compromised environment provides persistence via cron, systemd, and SELinux.

T1543.002Systemd ServiceEvidence2

A Go-based Linux implant (httd) found in a compromised environment provides persistence via cron, systemd, and SELinux.

Stealth

1 technique

T1036.005Match Legitimate Resource Name or LocationEvidence1

"snmpd.elf, httd, linux.service" and "masquerading a payload as a legitimate ext4 filesystem check utility"

Other

1 technique

T1562.001Disable or Modify ToolsEvidence1

"On SELinux-enforcing systems, it generates and loads a custom policy module using audit2allow to whitelist its own execution."

INDICATORS OF COMPROMISE

IOCs tracked for this family

5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

3 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting

ip.v4●●●●●●●●●●●●View more in app3 months ago

domain●●●●●●●●●●●●View more in app3 months ago

hash.md5●●●●●●●●●●●●View more in app3 months ago

hash.sha256●●●●●●●●●●●●View more in app3 months ago

hash.md5●●●●●●●●●●●●View more in app3 months ago

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

ctoatncsc substackNews

Mar 14, 2026

CTO at NCSC Summary: week ending March 15th

A Go-based Linux implant that provides persistence through cron, systemd, and SELinux.

huntio blogNews

Mar 11, 2026

Operation Roundish: Uncovering an APT28 Roundcube Exploitation Toolkit Targeting Ukraine

A statically-linked, stripped Go ELF backdoor implant providing multi-method persistence (cron job executing /.img, systemd service linux.service from /boot, and SELinux policy manipulation via audit2allow/semodule). Strings indicate additional capabilities including HTTP/2, SSH client, WebSockets, staging/downloader behavior, and host reconnaissance.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching5

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.